Security of truncated hash functions
David Shaw
dshaw at jabberwocky.com
Wed Aug 2 18:25:21 CEST 2006
On Wed, Aug 02, 2006 at 12:13:49PM -0400, David Shaw wrote:
> On Sat, Jul 29, 2006 at 07:26:18PM +0930, Alphax wrote:
> > Qed wrote:
> > > Suppose you need a 160 bit digest.
> > > You can choose RIPEMD160/SHA1 or a truncated version of a bigger one
> > > (e.g.: SHA2 family).
> > > Which solution would be safer?
> > > Is a digest algo designed for a given length stronger than a truncated
> > > longer one?
> > >
> >
> > Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll
> > assume that you're asking about using the "DSA2" option to use truncated
> > hashes with DSA keys that have q=160.
> >
> > Now, I could be completely wrong, but "common sense" seems to suggest
> > that there's no reason why it's any safer; in fact, you may be worse off.
>
> Note, though, that NIST explicitly allows (i.e. requires) hash
> truncation in the new DSA spec. At least in the context of DSA, the
> official answer is that either a full SHA1 or a truncated SHA256 is
> roughly of the same safety.
Er, sorry. That should be "either a truncated SHA256 or a truncated
SHA512 is roughly of the same safety".
David
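
Added example (not part of the original message and not GnuPG's code): the truncation discussed in this thread, taking the leftmost min(N, outlen) bits of the digest, where N is the bit length of q and outlen is the hash output length. The function names are hypothetical and the message is constructed. The example goes slightly beyond the 160-bit case by also handling values of N that are not a multiple of 8.

```python
import hashlib


def leftmost_bits_as_int(digest: bytes, n_bits: int) -> int:
    """Return the leftmost min(n_bits, outlen) bits of digest as an integer."""
    outlen = len(digest) * 8
    value = int.from_bytes(digest, "big")
    if n_bits >= outlen:
        # The hash is no longer than q: use the whole digest, nothing is cut.
        return value
    # Drop the rightmost (outlen - n_bits) bits. A right shift also works
    # when n_bits is not byte aligned, where slicing bytes would not.
    return value >> (outlen - n_bits)


def dsa_message_int(message: bytes, hash_name: str, q_bits: int) -> int:
    """Hash message and reduce the digest to the integer a DSA signer would use.

    q_bits is the bit length of the subgroup order q (160 in this thread).
    """
    digest = hashlib.new(hash_name, message).digest()
    return leftmost_bits_as_int(digest, q_bits)


def compare(message: bytes, q_bits: int = 160):
    """Return (hash name, outlen, bits actually used, integer) per hash."""
    rows = []
    for name in ("sha1", "sha256", "sha512"):
        outlen = hashlib.new(name).digest_size * 8
        z = dsa_message_int(message, name, q_bits)
        rows.append((name, outlen, min(q_bits, outlen), z))
    return rows


if __name__ == "__main__":
    sample = b"constructed sample message"  # constructed input, not from the thread
    for name, outlen, used, z in compare(sample):
        print(f"{name:7s} outlen={outlen:3d} bits used={used:3d} z={z:040x}")
```

With q=160 every hash contributes at most 160 bits to the signature, so whatever hash is chosen, the digest the signature binds to is never longer than q.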